A hacker managed to hit a gold mine late last week as the customer database for marketing services company Epsilon was compromised. Epsilon specializes in sending permission-based e-mail marketing for its high-profile business clients including many well-known brands.

The exposed information amounted only to names, e-mail addresses, and, in certain cases, points balances, but that doesn’t mean this is a breach users can ignore. The problem is that Epsilon is a service used by a lot of popular and successful customer-facing companies, meaning there’s a much greater chance all our e-mail addresses are in Epsilon’s database.

Companies Epsilon counts as customers include Ameriprise Financial, Barclays Bank of Delaware, Best Buy, Brookstone, Capital One, Disney Destinations, Home Shopping Network, Kroger, JPMorgan Chase, LL Bean Visa Card, Marriott Rewards, McKinsey & Company, New York & Company, Ritz-Carlton Rewards, The College Board, TiVo, U.S. Bank, and Walgreens. Each of those companies has been affected by this and had customer e-mail addresses stolen. This is also not the complete list, as Epsilon has over 2,500 clients and we don’t yet know how much of the company’s database was accessed.

This is so serious because whoever stole the information knows which companies Epsilon serves. It is therefore much easier to target an individual, whose full name is known, with a scam and have it succeed. As customers will be expecting regular e-mails from these companies anyway (as they gave permission to receive them), their defences are already partway down when a scam e-mail arrives in an inbox looking legitimate.

Each company is taking action and contacting its customers to ensure they know of the threat. There is little anyone can do now that this information is out in the wild, and it’s up to individuals to be vigilant when receiving marketing e-mails from any of these companies in the coming months.

At the time of writing, Epsilon’s website is down, no doubt under heavy load from people trying to find out what happened and whether their e-mail address is part of the batch that was taken.